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Abstract 

The  Insider  Threat  Study,  conducted  by  the  U.S.  Secret  Service  and  Carnegie  Mellon  University’s 
Software  Engineering  Institute  CERT  Program,  analyzed  insider  cyber  crimes  across  U.S. 
critical  infrastructure  sectors.  The  study  indicates  that  management  decisions  related  to 
organizational  and  employee  performance  sometimes  yield  unintended  consequences  magnifying 
risk  of  insider  attack.  Lack  of  tools  for  understanding  insider  threat,  analyzing  risk  mitigation 
alternatives,  and  communicating  results  exacerbates  the  problem.  The  goal  of  Carnegie  Mellon 
University’s  MERIT  (Management  and  Education  of  the  Risk  of  Insider  Threat)  project  is  to 
develop  such  tools. 4  MERIT  uses  system  dynamics  to  model  and  analyze  insider  threats  and 
produce  interactive  learning  environments.  These  tools  can  be  used  by  policy  makers,  security 
officers,  information  technology,  human  resources,  and  management  to  understand  the  problem 
and  assess  risk  from  insiders  based  on  simulations  of  policies,  cultural,  technical,  and 
procedural  factors.  This  paper  describes  the  MERIT  insider  threat  model  and  simulation  results. 


1  Introduction 

Insiders,  by  virtue  of  legitimate  access  to  their  organizations’  information,  systems,  and 
networks,  pose  a  significant  risk  to  employers.  Employees  experiencing  financial  problems  have 
found  it  easy  to  use  the  systems  they  use  at  work  everyday  to  commit  fraud.  Other  employees, 
motivated  by  financial  problems,  greed,  or  the  wish  to  impress  a  new  employer,  have  stolen 
confidential  data,  proprietary  information,  or  intellectual  property  from  their  employer.  Lastly, 
technical  employees,  possibly  the  most  dangerous  because  of  their  intimate  knowledge  of  an 
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organization’s  vulnerabilities,  have  used  their  technical  ability  to  sabotage  their  employer’s 
system  or  network  in  revenge  for  some  negative  work-related  event. 

In  January  2002  the  Carnegie  Mellon  University  Software  Engineering  Institute’s  CERT  Program 
(CERT)  and  the  United  States  Secret  Service  (USSS)  National  Threat  Assessment  Center 
(NTAC)  started  a  joint  project,  the  Insider  Threat  Study5.  The  study  combined  NTAC’s  expertise 
in  behavioral  psychology  with  CERT’s  technical  security  expertise  to  provide  in-depth  analysis 
of  approximately  150  insider  incidents  that  occurred  in  critical  infrastructure  sectors  between 
1996  and  2002.  Analysis  included  perusal  of  case  documentation  and  interview  of  personnel 
involved  in  the  incident. 

Two  reports  have  been  published  to  date  as  part  of  the  Insider  Threat  Study,  one  analyzing 
malicious  insider  incidents  in  the  banking  and  finance  sector  (Randazzo  et  al.  2004),  and  one 
analyzing  insider  attacks  across  all  critical  infrastructure  sectors  where  the  insider’s  intent  was  to 
hann  the  organization,  an  individual,  or  the  organization’s  data,  information  system,  or  network 
(Keeney  et  al.  2005).  Two  additional  reports  will  be  published  in  2006:  one  specific  to  the 
information  technology  and  telecommunications  sector,  and  one  for  the  government  sector. 

The  reports  include  statistical  findings  and  implications  regarding  technical  details  of  the 
incidents;  detection  and  identification  of  the  insiders;  nature  of  harm;  as  well  as  insider  planning, 
communication,  behavior,  and  characteristics.  The  reports  have  been  well-received  across  several 
stakeholder  domains  including  the  business  community,  technical  experts,  and  security  officers. 
Our  fear  is  that  practitioners  will  mistakenly  interpret  the  results  as  stand-alone  statistics  and 
assign  consideration  of  individual  implications  to  various  departments  within  the  organization 
instead  of  taking  a  holistic,  enterprise-wide  approach  to  mitigating  insider  threat  risk. 

The  results  of  the  Insider  Threat  Study  show  that  to  detect  insider  threats  as  early  as  possible  or 
to  prevent  them  altogether,  management,  IT,  human  resources,  security  officers,  and  others  in  the 
organization  must  understand  the  psychological,  organizational,  and  technical  aspects  of  the 
problem,  as  well  as  how  they  coordinate  their  actions  over  time.  CERT  staff  felt  strongly  that  an 
important  next  step  in  our  insider  threat  research  was  development  of  innovative  communication, 
education,  and  training  materials  to  address  this  issue.  After  researching  potential  methods  and 
tools  that  could  be  used  for  this  purpose,  system  dynamics  was  chosen  for  its  strengths  in 
modeling  and  simulation  of  complex  problems. 

This  paper  describes  the  MERIT  project.  MERIT  stands  for  the  Management  and  Education  of 
the  Risk  of  Insider  Threat.  The  project  goal  is  to  develop  a  system  dynamics  model  that  can  be 
used  to  better  communicate  the  risks  of  the  insider  sabotage  threat  to  an  organization’s 
information,  systems,  or  networks.  Section  2  motivates  the  use  of  modeling  and  simulation  to 
leam  about  complex  systems,  such  as  the  problem  of  insider  sabotage  and  its  mitigation.  Section 
3  describes  in  greater  detail  the  Insider  Threat  Study  and  related  research  being  conducted  by 
CERT.  Section  4  describes  a  fictional  case  used  as  a  basis  for  the  MERIT  training  materials  and 
model  development;  the  case  is  described  more  fully  in  Appendix  A.  Section  5  describes  the 
primary  assumptions  and  scope  of  the  MERIT  model.  Sections  6  through  8  describe  the 
behavioral,  attack  and  defense  aspects  of  the  model,  respectively.  Section  9  shows  how  the 
model  can  be  used  to  generate  the  problematic  behavior  of  the  fictional  case.  Appendix  B 


5  The  Insider  Threat  Study  was  funded  by  the  USSS,  as  well  as  the  Department  of  Homeland  Security,  Office  of 
Science  and  Technology,  which  provided  financial  support  for  the  study  in  fiscal  years  2003  and  2004. 
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contains  a  comprehensive  overview  of  the  MERIT  model.  Section  10  describes  conclusions  that 
can  be  drawn  from  the  current  model,  and  work  that  remains  to  be  done.  Section  11  contains 
acknowledgements  of  researchers  and  organizations  that  have  contributed  to  this  work.  Section 
12  contains  a  list  of  references. 

2  Simulation-Based  Learning 

Any  organization  using  a  computerized  network  represents  a  complex  system  involving  both 
people  and  technology.  Each  employee  navigates  the  network  with  a  unique  level  of  access  and 
set  of  authorized  capabilities  that  may  change  over  time.  Each  organization  exercises  a  policy  to 
optimize  productivity  while  guaranteeing  security,  whether  or  not  such  a  policy  is  well- 
developed  and  implemented.  While  there  are  many  such  systems,  and  thus  a  wealth  of  common 
experience  based  on  which  to  leam  the  important  components  of  a  good  security  policy,  it  is  not 
a  given  that  all  organizations  manage  this  learning  well. 

Sterman  (2006)  describes  three  challenges  to  implementing  good  policy  based  on  lessons  learned 
from  interactions  in  complex  systems.  First,  one  cannot  draw  lessons  learned  unless  one  has 
good  data.  Second,  one  cannot  learn  from  experience,  even  with  good  data,  unless  one  can 
derive  good  lessons  from  that  data.  Finally,  one  cannot  implement  good  policy  based  on  lessons 
learned,  unless  stakeholders  in  the  system  are  involved  politically  in  policy  development. 

Stennan  makes  compelling  arguments  that  all  three  of  these  efforts  are  hindered  by  the 
characteristics  of  complex  systems.  Unlike  the  scientific  laboratory,  in  which  variables  can  be 
isolated  and  controlled,  the  networked  organization  presents  serious  challenges  to  the  gathering 
of  valid,  reliable,  and  easily  interpretable  data  from  which  one  can  draw  clear  conclusions. 
Unambiguous  data  are  difficult  to  gather  because  a  complex  system,  such  as  a  networked 
organization,  involves  cause  and  effect  interactions  across  many  time  scales,  locations,  and  areas 
of  expertise.  In  addition,  complex  systems  not  only  respond  to  the  decisions  taken  by  the  learner 
but  to  decisions  taken  by  other  agents  in  response.  Finally,  one  cannot  afford  to  make  risky 
extreme  decisions  even  though  these  might  yield  good  data  for  learning,  because  of  the  ethical 
and  logistical  implications  of  experimenting  with  real  organizations.  As  a  result,  the  specific 
results  of  any  action  taken  are  difficult  to  discern. 

Even  with  good  data,  learning  isn’t  guaranteed.  To  derive  lessons  learned,  one  would  first  form 
hypotheses  about  system  behavior,  gather  data,  and  reflect  on  whether  the  results  matched  those 
predicted.  Finally,  one  would  update  one’s  mental  model  after  reflecting  deeply  on  any 
discrepancies,  in  a  form  of  double-loop  learning  (Argyris  &  Schon,  1974). 

Sterman  reviews  research  from  the  psychological  literature  (e.g.,  Wason,  1966;  Kahneman  & 
Tversky,  1982)  indicating  that  people  are  not  normally  prone  to  gather  data  that  might  disconfirm 
their  hypotheses,  especially  not  in  public  (Tedeschi,  1981)  or  working  in  groups  (Janis  &  Mann, 
1977).  When  making  judgments,  we  tend  to  use  simplifying  rules-of-thumb  that  may  be  efficient 
but  are  often  biased  (Kahneman  &  Tversky,  1982).  Finally,  not  only  do  we  avoid  looking  where 
disconfinning  evidence  might  be,  we  also  respond  in  ways  that  force  the  system  to  exhibit  types 
of  behavior  that  confirm  our  earlier  biased  beliefs  (Rosenthal  &  Jacobson,  1968). 

Sterman  (2006)  advocates  the  use  of  virtual  worlds  to  overcome  our  inability  to  leam  in  complex 
systems.  These  need  not  be  computer  simulations,  as  they  can  be  role-play  games  or  physical 
model  environments  as  well.  In  simulations,  distinguished  from  games  by  their  verisimilitude 
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enabling  knowledge  transfer  beyond  the  environment  (Lane,  1995),  it  is  possible  to  set  up  a 
closed  environment  with  known  assumptions.  One  can  then  test  the  impact  of  policies  without 
the  distortion  of  statistical  error  and  reflect  on  the  outcomes  resulting  only  from  one’s  own 
actions. 

Lane  (1995)  reviews  the  history  of  such  simulations  and  describes  the  value  of  using  these  to 
provide  managers  with  an  intellectually  and  emotionally  rich  and  engaging  educational 
experience.  Lane  points  that  the  low  cost  and  unambiguous  feedback  afforded  can  be  “more 
helpful  than  reality,”  as  long  as  certain  caveats  are  considered.  The  model  should  represent  the 
relevant  environment  with  fidelity,  the  simulation  instructions  should  be  clear,  the  simulation 
objective  (such  as  maximizing  productivity  and  minimizing  risk  and  cost)  measurable  and  known 
to  the  user,  and  there  must  be  an  opportunity  for  debriefing  or  reflection.  In  addition,  Lane  notes 
that  simulations  provide  common  metaphors  for  communication  about  insights  or  lessons 
learned. 

Groessler  (2004)  elaborates  on  fifteen  issues  that  should  be  considered  when  designing  such 
simulations  for  training. 

•  The  first  five  concern  the  characteristics  of  the  model,  and  pertaining  to  how  well  it 
balances  the  fidelity  to  the  context  with  the  necessity  for  simplification  so  that  lessons 
can  be  learned.  The  model  should  be  validated  against  real  cases  without  so  much 
complexity  as  to  overwhelm  the  user. 

•  The  second  five  address  the  characteristics  of  the  trainees,  balancing  the  cognitive 
complexity  of  the  task  with  the  users’  learning  styles.  The  simulation  should  be  part  of  a 
larger  interactive  learning  environment  allowing  individuals  many  ways  to  glean  insights 
from  using  it. 

•  The  third  five  address  whether  the  interactive  learning  environment  encourages  good 
engagement  with  the  task  and  reflection  on  lessons  learned.  Users  of  the  simulation 
should  have  the  opportunity  to  monitor  indicators  of  success  and  should  be  given 
opportunities  to  reflect  on  their  hypotheses  and  the  results  of  their  experiments. 

3  Origins  of  CERT  Research 

The  Security  Dynamics  Network  is  a  collaborating  network  of  institutions  and  associated 
researchers  using  system  dynamics  modeling  to  explore  risk  dynamics,  focusing  on 
cybersecurity.  Its  members  include  University  at  Albany;  Agder  University  College;  TECNUN, 
University  of  Navarra;  Worcester  Polytechnic  Institute;  Sandia  National  Labs;  Argonne  National 
Labs;  and  Carnegie  Mellon  University.  The  network  was  created  in  2004  after  members  of  the 
group  convened  several  workshops  to  model  various  aspects  of  the  insider  threat  (Melara  2003; 
Anderson  2004;  Rich  2005). 

Convinced  that  system  dynamics  modeling  was  a  viable  mechanism  for  transitioning  our  insider 
threat  knowledge,  CERT  sought  funding  for  development  of  a  prototype  interactive  learning 
environment  (ILE)  based  on  empirically  validated  models  of  the  insider  threat  problem 
developed  using  Insider  Threat  Study  data.6  The  purpose  of  MERIT  is  to  develop  an  ILE  using 


6  An  interactive  learning  environment  (ILE)  is  a  process  for  educational  learning  that  allows  the  instructor  and 
student  to  negotiate  the  context  of  the  curriculum  in  the  real-time. 
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system  dynamics  for  hands-on  analysis  of  the  effects  of  policy,  technical,  and  countermeasure 
decisions  on  malicious  insider  activity.  It  will  provide  a  means  to  communicate  insider  threat 
risks  and  tradeoffs,  benefiting  technical  and  non-technical  personnel,  from  system  administrators 
to  corporate  CEOs.  The  MERIT  project  was  funded  by  CyLab  at  the  Carnegie  Mellon  University. 

At  about  the  same  time  the  MERIT  project  was  initiated,  the  CERT  insider  threat  team  was 
funded  by  the  U.S.  Department  of  Defense  Personnel  Security  Research  Center  (PERSEREC)  for 
another  system  dynamics  modeling  project.  That  work  is  part  of  an  ongoing  partnership  between 
CERT  and  PERSEREC  in  response  to  recommendations  in  the  2000  DoD  Insider  Threat 
Mitigation  report.7  The  purpose  of  the  PERSEREC/CERT  project  is  to  develop  two  system 
dynamics  models  based  on  actual  case  data  -  one  for  insider  IT  sabotage  and  one  for  espionage  - 
and  then  compare  and  contrast  the  models.  The  comparison  could  identify  countermeasures  that 
could  be  useful  for  mitigating  both  risk  of  insider  IT  sabotage  and  espionage  in  the  DOD. 

CERT  researchers  believed  that  the  scope  of  MERIT  should  initially  be  limited  to  a  well-defined 
subset  of  the  150  cases  from  the  Insider  Threat  Study.  Because  a  model  of  insider  IT  sabotage 
could  be  used  for  both  the  MERIT  and  PERSEREC  projects,  the  CERT  research  team  decided  to 
first  focus  MERIT  on  insider  IT  sabotage  cases.  As  a  result,  a  base  model  is  being  developed  for 
insider  IT  sabotage  that  can  be  used  for  both  projects. 

One  unique  aspect  of  the  Insider  Threat  Study  that  was  a  key  to  its  success  was  the  equal 
attention  to  both  the  technical  and  psychological  aspects  of  the  problem.  MERIT  allowed  the 
CERT  team  to  realize  unexpected  benefits  from  the  overlap  with  the  PERSEREC  project. 
CERT’s  technical  security  expertise  was  augmented  with  expertise  from  several  organizations  in 
the  areas  of  psychology,  insider  threat,  espionage,  and  cyber  crime.  Therefore,  the  system 
dynamics  model  for  insider  IT  sabotage  being  developed  for  both  MERIT  and  PERSEREC 
benefits  from  a  broad  range  of  experience  regarding  the  technical,  psychological,  and 
organizational  factors  influencing  insider  threat  risk. 

3.1  Key  Findings  from  the  Insider  Threat  Study 

We  base  our  system  dynamics  models  on  findings  from  the  Insider  Threat  Study,  in  particular 
those  cases  involving  insider  sabotage.  These  were  among  the  more  technically  sophisticated 
attacks  perpetrated  in  the  study  and  resulted  in  substantial  hann  to  organizations.  In  the  49  cases 
studied,  81  percent  of  the  organizations  that  were  attacked  experienced  a  negative  financial 
impact  as  a  result  of  insider  activities.  The  losses  ranged  from  a  low  of  $500  to  a  high  of  “tens  of 
millions  of  dollars.”  Seventy-five  percent  of  the  organizations  experienced  some  impact  on  their 
business  operations.  Twenty-eight  percent  of  the  organizations  experienced  a  negative  impact  to 
their  reputations.  The  statistics  in  this  section  come  from  the  CERT/USSS  Insider  Threat  Study 
report  on  insider  sabotage  (Keeney  2005). 

The  first  step  taken  in  modeling  insider  IT  sabotage  was  to  identify  the  key  findings  to  be 
reflected  in  our  system  dynamics  model.  A  summary  follows: 

Insiders  were  disgruntled  and  motivated  by  revenge  for  a  negative  work-related  event.  Fifty- 
seven  percent  of  the  insiders  who  committed  IT  sabotage  were  disgruntled.  Eighty-four  percent 
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were  motivated  by  revenge,  and  92%  of  all  of  the  insiders  attacked  following  a  negative  work- 
related  event  like  tennination,  dispute  with  a  current  or  former  employer,  demotion,  or  transfer. 

Insiders  exhibited  concerning  behavior  prior  to  the  attack.  Eighty  percent  of  the  insiders 
exhibited  concerning  behavior  prior  to  the  attack,  including  tardiness,  truancy,  arguments  with 
coworkers,  and  poor  job  perfonnance. 

Insiders  who  committed  IT  sabotage  held  technical  positions.  Eighty-six  percent  of  the  insiders 
held  technical  positions.  Ninety  percent  of  them  were  granted  system  administrator  or  privileged 
system  access  when  hired  by  the  organization. 

The  majority  of  the  insiders  attacked  following  termination.  Fifty-nine  percent  of  the  insiders 
were  former  employees,  57%  did  not  have  authorized  system  access  at  the  time  of  the  attack,  and 
64%  used  remote  access.  Many  used  privileged  system  access  to  take  technical  steps  to  set  up  the 
attack  before  termination.  For  example,  insiders  created  a  backdoor  account8,  installed  and  ran  a 
password  cracker9,  took  advantage  of  ineffective  security  controls  in  termination  processes,  or 
exploited  gaps  in  their  organization’s  access  controls. 

3.2  Targeted  Lessons  for  Training 

Based  on  the  above  findings,  the  MERIT  team  determined  that  the  most  important  lessons  to  be 
conveyed  in  the  interactive  learning  environment  (ILE)  are  the  following: 

Disabling  access  following  termination  is  important;  in  order  to  do  so  effectively  organizations 
must  have  full  awareness  of  all  access  paths  available  to  each  of  their  employees.  (See  Section 
5.4  for  an  explanation  of  access  paths).  Since  so  many  acts  of  insider  sabotage  were  committed 
following  termination,  the  MERIT  ILE  must  emphasize  the  importance  of  completely  disabling 
access  upon  termination,  a  task  that  is  often  easier  said  than  done.  Many  of  the  attacks  in  the 
Insider  Threat  Study  were  possible  because  the  employer  did  not  know  all  of  the  access  paths 
available  to  their  employees. 

For  example,  system  administrators  created  backdoor  accounts  with  system  administrator 
privileges,  knowing  that  because  account  audits  were  not  conducted  the  account  would  not  be 
detected  and  would  facilitate  the  attack  following  tennination.  Other  privileged  users  planted 
logic  bombs  -  malicious  code  implanted  on  a  target  system  and  configured  to  execute  at  a 
designated  time  or  on  occurrence  of  a  specified  system  action.  Often  the  insider  configured  the 
logic  bomb  to  execute  following  termination,  knowing  that  no  characterization  and  configuration 
management  procedures10  were  in  place  to  detect  the  malicious  code.  Other  technical  insiders 
were  able  to  use  passwords  for  shared  accounts  because  there  was  no  formal  tracking  mechanism 
for  access  to  those  accounts.  Therefore  they  were  overlooked  upon  termination. 

The  ILE  must  emphasize  the  importance  of  proactive,  ongoing,  rigorous  access  management 
practices  to  facilitate  complete  disabling  of  access  upon  termination. 


8  A  backdoor  account  is  an  unauthorized  account  created  for  gaining  access  to  a  system  or  network  known  only  to 
the  person  who  created  it. 

9  A  password  cracker  is  a  program  used  to  identify  passwords  to  a  computer  or  network  resource;  used  to  obtain 
passwords  for  other  employee  accounts. 

10  Characterization  and  configuration  management  refers  to  procedures  and  software  that  track  releases  and  changes 
to  software  or  system  components  so  that  unauthorized  access  can  be  prevented  or  appropriate  users  alerted  when  a 
fde  has  been  modified  or  released. 
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Management  should  carefully  consider  concerning  behavior  by  an  employee  who  appears  to  be 
disgruntled  following  a  negative  work-related  event,  possibly  increasing  monitoring  of  the 
employee  s  online  activity.  It  is  not  practical  for  organizations  to  monitor  all  online  activity  for  all 
employees  all  of  the  time.  Determining  the  appropriate  balance  between  proactive  system 
monitoring  and  other  duties  of  the  IT  or  technical  security  staff  is  a  difficult  task  in  any 
organization.  However,  almost  all  insiders  in  the  Insider  Threat  Study  sabotage  cases  exhibited 
concerning  social  behavior  prior  to  the  attack.  Therefore,  an  important  lesson  to  be  conveyed  by 
the  MERIT  ILE  is  that  organizations  should  maintain  awareness  of  employee  dissatisfaction  and 
evaluate  concerning  behavior.  Targeted  monitoring  of  online  activity  by  employees  of  concern 
can  prevent  insider  sabotage  by  detecting  technical  precursor  activity  immediately. 

4  Fictional  Case  for  Training:  iAssemble,  Inc. 

As  mentioned  earlier,  an  interactive  learning  environment  for  training  on  insider  threat  is  more 
effective  when  combined  with  a  concrete  case  example  that  clearly  illustrates  the  relationship 
between  aspects  of  the  insider  threat  and  the  effectiveness  of  various  measures  to  counter  the 
threat.  However,  the  sensitivity  of  actual  Insider  Threat  Study  case  data  precludes  the  use  of 
actual  cases  for  training.  We  therefore  developed  a  fictional  case  scenario  that  is  representative  of 
a  preponderance  of  actual  cases  of  insider  sabotage  from  the  Insider  Threat  Study. 

The  following  characteristics  of  our  fictional  case  are  important: 

•  Effective  access  management  practices  that  degrade  over  time  due  to  competing  priorities 

•  Increased  acting  out  (concerning  behavior)  by  insider 

•  Increased  tension  between  insider,  staff,  and  managers 

•  Ineffective  management  response  that  would  address  concerning  behavior  exhibited  by 
disgruntled  employee 

•  Increased  data  gathering  by  insider 

•  Undetected  escalation  of  access  by  insider 

•  False  perception  by  management  underestimating  insider  access 

•  Punitive  actions  seem  ineffective  to  management,  provocative  to  insider 

The  fictional  organization  is  called  iAssemble,  Inc. 1 1  The  full  text  of  the  iAssemble  case  example 
appears  in  Appendix  A.  A  summary  of  the  case  follows: 

iAssemble  sold  computer  systems  directly  to  customers;  building  each  system  made-to-order  at 
competitive  prices.  Ian  Archer,  the  insider  threat  actor ;  had  been  with  iAssemble  since  its 
founding  and  was  the  sole  system  administrator.  The  environment  at  iAssemble  was  traditionally 
very  relaxed.  However,  recent  substantial  company  growth  resulted  in  a  different  culture,  as  well 
as  new  management  who  hired  a  new  lead  system  administrator  over  Archer. 

This  action  triggered  Archer  s  disgruntlement,  feeling  his  hard  work  over  the  years  was  not 
appreciated.  In  addition,  the  new  lead  system  administrator  restricted  the  privileges  of  all 
iAssemble  employees,  including  Archer.  Archer  vented  his  anger  by  openly  harassing  individuals 
and  purposely  stalling  progress  on  important  projects.  A  performance  improvement  plan  was 


1 1  The  iAssemble  organization  and  case  example  are  completely  fictional,  any  unintentional  resemblance  to  a  real 
organization  or  insider  threat  case  is  unintentional. 
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instituted  by  Archer’s  new  manager  with  disciplinary  actions  including  written  warnings,  a 
temporary  suspension,  and  reduction  in  his  salary.  Suspecting  he  would  soon  be  fired,  Archer- 
created  a  backdoor  with  system  administrator  privileges  on  i Assemble  s  server  for  later  access 
should  his  authorized  access  be  disabled  or  his  administrative  privileges  be  revoked. 

Management’s  increased  sense  of  risk  of  malicious  activity  by  Archer  led  them  to  ramp  up  audits 
of  access  control  quality  and  access  management.  Unfortunately  these  measures  were  put  in 
place  too  late  to  prevent  or  detect  Archer’s  backdoor  installation.  When  management  fired 
Archer  they  disabled  all  known  access  paths.  But  unknown  to  management,  a  coworker  had 
shared  his  password  with  Archer  to  increase  productivity  for  their  project  team.  Archer  used  that 
password  to  log  in  remotely  to  the  coworker  s  machine  the  night  of  his  firing.  Using  the  backdoor 
account  he  installed  a  logic  bomb  on  the  machinery  server,  set  to  detonate  three  months  later. 

The  logic  bomb  deleted  all  the  files  on  the  machinery  and  backup  servers  leaving  the  assembly 
lines  at  iAssemble  frozen.  An  investigation  revealed  that  access  control  policies  and  practices 
had  eroded  over  time.  The  investigation  lead  to  the  arrest  of  Ian  Archer,  but  iAssemble  was  left 
on  shaky  ground,  causing  share  prices  to  plummet.  Their  image  in  the  market  was  blemished  and 
stockholders  demanded  detailed  explanations  from  company  management. 

iAssemble  s  decision  to  increase  monitoring  and  auditing  was  the  right  one  -  the  steps  they  took 
increased  management’s  knowledge  of  employees’  access  paths.  However,  the  gap  between 
management’s  knowledge  of  Archer’s  access  paths  and  his  actual  access  was  not  fully  eliminated 
when  he  was  fired,  so  iAssemble  could  not  disable  all  of  his  access  paths  in  time.  Hence,  Archer 
was  able  take  advantage  of  the  residual  access  that  he  had  to  attack  following  termination. 

We  believe  that  the  iAssemble  case  provides  a  coherent  and  well-grounded  basis  for  training  on 
the  access  management  issues  relevant  to  insider  sabotage  and  is  representative  in  character  (but 
not  necessarily  detail)  of  many  of  the  actual  cases  that  we  have  seen. 

5  Model  Assumptions 

The  following  assumptions  are  key  to  understanding  the  dynamics,  relationships,  and  conditions 
in  the  MERIT  model  related  to  insider  IT  sabotage  and  countermeasures. 

5.1  Scope 

The  model  begins  with  the  insider  at  his  or  her  highest  position  in  the  organization.  Since  most 
insiders  became  disgruntled  and  attacked  in  their  current  position,  they  tended  not  to  carry  over 
problems  from  their  previous  position.  While  the  time  periods  related  to  firing  and  demotion  are 
important  in  the  model,  hiring  is  not,  because  significant  triggering  events  related  to  the  attack  or 
prompting  the  desire  to  attack  did  not  typically  occur  soon  after  being  hired.  Also  within  the 
model  scope  is  a  negative  work-related  event  that  causes  the  insider  to  feel  dissatisfied  toward 
the  organization,  supervisors,  or  co-workers.  Tennination  or  demotion  is  frequently  the  last 
negative  work-related  event  triggering  the  insider  attack. 

5.2  Organization 

Key  to  the  model  is  the  organization’s  knowledge  of  insider  access  rights  and  privileges,  rather 
than  the  authorization  for  and  legitimacy  of  insider  actions.  Most  organizations  have  the  ability 
to  track,  monitor,  and  identify  access  paths  for  employees,  but  they  can  either  be  unaware  of  or 
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forget  access  paths  available  to  employees  due  to  poor  security  management  practices.  In 
addition,  practices  such  as  security  awareness  and  education,  account  management,  and 
personnel  behavioral  management,  play  an  important  role  in  the  model.  Access  control  is  key 
because  insiders  require  access  to  perfonn  their  job  functions  but  can  also  use  this  access  to 
attack.  Therefore,  imperfect  states  of  practice,  particularly  with  regard  to  access  control,  have  a 
heavy  influence  in  the  model.  Access  control  may  not  be  perfect  at  the  start  of  the  simulation. 

5.3  Insiders 

The  next  group  of  assumptions  deals  with  the  insiders  themselves:  their  means,  motives,  and 
opportunities.  The  model  assumes  that  insiders  work  alone  in  attacking  the  organization  and  do 
not  collude;  this  assumption  is  supported  by  most  of  the  cases  examined  in  the  Insider  Threat 
Study.  The  method  by  which  the  insider  attempts  to  attack  the  organization  is  typically  limited  to 
the  skill  sets,  experiences,  and  education  exhibited  while  still  an  employee  with  the  organization. 
An  insider  may  attempt  or  succeed  at  gaining  more  access  than  his  organization  authorizes,  but 
he  will  seek  to  gain  this  access  within  the  confines  of  their  current  skill  set,  experience,  and 
education. 

Insiders  tend  to  feel  entitled  to  perform  certain  actions  or  act  in  a  specific  way,  and  this 
entitlement  escalates  over  time.  If  they  do  not  receive  reprimands,  sanctions,  or  correction, 
insiders  begin  to  feel  that  they  have  the  organization’s  authorization  to  behave  irregularly.  When 
insiders  are  penalized  or  corrected  they  may  react  negatively  and  cause  further  behavioral 
disruption  or  commit  technical  sabotage. 

5.4  Access 

Ironically,  while  access  is  granted  as  a  necessary  course  of  conducting  business  operations,  it  is 
also  one  of  the  most  essential  elements  of  insider  attacks.  Access  to  information  and  systems 
allows  employees  to  read,  modify,  and  delete  business  and  system  data.  The  following  section 
expands  on  employee  access  paths,  frequently  used  to  conduct  attacks. 

5.4.1  Access  paths 

In  the  MERIT  model,  access  is  provided  through  “access  paths”:  a  set  of  one  or  more  access 
points  leading  to  a  critical  system.  Examples  of  points  along  access  paths  are  employee  badges, 
computer  accounts,  passwords,  and  Virtual  Private  Networks  (VPN).  The  model  presumes  that 
the  insider  obtains  access  in  one  of  three  ways  -  access  paths  are  granted  by  the  organization, 
created  by  the  insider,  or  discovered  by  the  insider.  Access  paths  can  be  known  or  unknown  to 
the  organization.  An  access  path  that  is  unknown  to  management  is  not  necessarily  illegitimate, 
but  organizations  should  reduce  unknown  access  paths  by  identifying  them,  reviewing  each  for 
validity,  and  disabling  those  without  a  justified  business  need. 

Granted  paths  are  those  authorized  by  the  organization.  For  example,  a  granted  access  path  for  a 
web  server  administrator  could  be  software  and  hardware  used  to  publish  corporate  web  pages. 
One  problem  with  granted  access  paths,  illustrated  in  the  model,  is  that  organizations  can  lose 
track  of  their  existence  if  formal  tracking  procedures  are  not  enforced.  An  example  of  a  forgotten 
path  is  a  privileged  shared  account  created  for  a  team  of  software  developers  for  the  duration  of  a 
project  that  is  not  removed  or  restricted  after  the  project  tenninates. 
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Created  paths  are  those  established  by  an  employee,  such  as  computer  accounts  that  are  created 
or  hacking  tools  that  are  installed  on  the  system  by  the  insider.  Created  paths  can  be  authorized 
or  unauthorized,  and  the  organization  may  or  may  not  know  of  their  existence. 

Discovered  paths  are  existing  paths  revealed  to  or  discovered  by  an  employee.  Although  they  can 
be  used  for  malicious  insider  actions,  they  may  not  have  been  created  with  malicious  intent.  An 
example  of  a  discovered  access  path  is  one  that  is  found  when  an  employee  learns  that  he  can 
access  information,  resources,  or  network  services  he  did  not  know  existed  or  for  which  he  did 
not  know  he  had  legitimate  access. 

Other  access  path  assumptions  in  the  model  include: 

1.  Insiders  can  lose  some  or  all  of  their  access  paths,  as  well  as  the  ability  to  create  new 
paths. 

2.  Insiders  who  are  demoted  or  tenninated  may  retain  the  ability  to  create  or  use  access 
paths  for  which  they  are  no  longer  authorized  because  of  a  lapse  in  procedure  or  practice. 

3.  It  takes  time  for  organizations  to  recover  from  poor  access  management. 

4.  Effectively  disabling  of  access  paths  requires  that  management  have  full  awareness  of  all 
paths  available  to  the  employee,  and  the  employee’s  ability  to  create  new  paths. 

5.  Even  without  deliberate  action  by  an  insider  to  obtain  a  higher  level  of  access,  there  tends 
to  be  a  gradual  increase  in  the  number  of  access  paths  available  to  an  insider  over  time. 

5.5  Defenses 

The  final  assumption  pertaining  to  the  model  deals  with  organizational  defenses  and  responses  to 
unacceptable  employee  behavior.  Organizations  typically  use  administrative,  physical,  and 
technical  controls  to  deter,  prevent,  detect,  and  respond  to  attacks  on  information  and  systems, 
including  insider  attacks.  The  MERIT  model  focuses  on  administrative  and  technical  controls, 
since  physical  controls  were  not  a  predominant  factor  in  most  cases  in  the  Insider  Threat  Study. 

Administrative  and  technical  controls  relevant  to  mitigating  risk  of  insider  threat  in  the  MERIT 
model  are  described  in  Table  1 . 
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Policy  Lever 

Description 

Effect 

employee 

intervention 

Positive  interventions  like  employee 
assistance  or  counseling  that  attempt  to 
lower  disgruntlement  directly,  to 
reduce  inappropriate  behavioral  or 
technical  actions  by  insider. 

May  not  be  effective  if  quality  of 
intervention  is  low. 

sanctioning 

Punitive  measures  that  attempt  to 
motivate  the  insider  to  reduce  his 
inappropriate  behavioral  or  technical 
actions  to  avoid  additional  sanctioning. 

May  have  the  opposite  effect  of 
increasing  disgruntlement  and 
inappropriate  actions. 

technical 

monitoring 

Real-time  measures  to  track  and 
analyze  an  insider’s  online  actions, 
such  as  the  use  of  access  paths  or 
infonnation  and  resources  accessed. 

If  technical  monitoring  is  not  initiated  or 
quality  is  low,  management  may  not  have 
an  accurate  sense  of  the  risk  that  an 
insider  poses  to  the  organization. 

training 

Currently  limited  to  education  of 
employees  on  appropriate  usage  of 
computer  and  network  systems  and  the 
consequences  if  misused. 

Training  quality  affects  the  rate  of 
inappropriate  online  actions  and  attacks 
by  insiders. 

tracking 

Efforts  by  management  to  keep  track 
of  access  paths. 

Poor  tracking  leads  to  high  rates  of  access 
paths  unknown  by  management,  making 
it  more  difficult  to  disable  paths  and 
easier  for  the  insider  to  conceal  his 
actions. 

auditing  and 
disabling 
access  paths 

Efforts  by  management  to  discover, 
understand,  review,  and  disable  access 
paths  available  to  the  insider.  Allows 
comparing  employees’  abilities  and 
efforts  to  access  infonnation,  create 
access  paths,  or  use  access  paths 
against  acceptable  policies  and 
procedures. 

Facilitates  discovery  of  access  paths 
available  to  the  insider.  Poor  audit  allows 
insiders  to  amass  many  unknown  access 
paths  making  it  easier  to  conceal  actions 
and  attack  after  tennination. 

tennination 

threshold 

The  threshold  of  risk  posed  by  the 
insider  to  the  organization  above 
which  management  fires  the  insider. 

Too  high  a  threshold  may  give  a 
malicious  insider  additional  time  to  attack 
the  organization  or  take  technical  actions 
to  set  up  an  attack  following  termination. 
Too  low  a  threshold  may  cause  the 
organization  to  terminate  valuable 
employees  who  just  need  a  little 
intervention  to  solve  their  problems. 

tennination 

time 

The  time  it  takes  the  organization  to 
terminate  an  insider  once  the 
termination  threshold  is  reached. 

If  termination  time  is  too  long  then  the 
insider  may  maintain  authorized  access  to 
the  system  long  enough  to  facilitate  an 
attack. 

Table  1:  Simulation  Effects  of  Policy  Levers 
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6  Modeling  Behavioral  Aspects 

Employee  disgruntlement  was  a  recurring  factor  in  the  Insider  Threat  Study  sabotage  cases, 
predominately  due  to  some  unmet  expectation  by  the  insider.  For  example: 

1 2 

1.  The  insider  expected  certain  technical  freedoms  in  his  “  use  of  the  organization’s 
computer  and  network  systems,  such  as  storing  personal  MP3  files,  but  was  reprimanded 
by  management  for  exercising  those  freedoms. 

2.  The  insider  expected  to  have  control  over  the  organization’s  computer  and  network 
system,  but  that  control  was  revoked  or  never  initially  granted. 

3.  The  insider  expected  recognition  or  prestige  from  management,  but  was  disturbed  upon 
some  event  in  the  workplace,  such  as  being  passed  over  for  a  promotion. 

In  our  model  we  focus  on  the  first  two.  Insider  freedom  thus  represents  freedom  for  the  insider  to 
use  or  control  the  system.  Expected  freedoms  could  be  measured  either  by  the  number  or  extent 
of  privileges  or  on  a  continuous  scale  from  none  to  root  access. 

6. 1  Insider  Expectation  of  Freedom 

Figure  1  depicts  changes  in  the  insider’s  expectations  over  time  based  on  his  actual  freedom  as 
well  as  the  insider’s  predisposition  to  disgruntlement.  This  predisposition  differs  from  one  person 
to  the  next,  and  influences  the  rate  that  expectations  rise  and  fall.  The  rise  of  expectations  is 
influenced  heavily  by  the  actual  freedom  given  insider.  As  illustrated  in  reinforcing  loop  Rl, 
with  lax  management  controls  actual  freedom  grows  commensurate  with  expected  freedoms.  As 
more  freedom  is  allowed,  more  freedom  is  taken;  as  more  freedom  is  taken,  more  is  allowed.  In 
the  model,  it  is  assumed  that  even  lax  management  sets  an  upper  bound  on  the  extent  of 
freedoms  allowed  to  any  employee. 

Lax  management  unintentionally  encourages  escalation  of  expectation.  Expectation  escalation  is 
seen  in  the  simulation  results  in  Figure  2.  The  simulation  starts  off  with  expected  and  actual 
freedom  at  an  equal  value  of  10  freedom  units  -  the  freedom  allowed  any  employee  of  the 
organization  according  to  the  organization’s  appropriate  systems  usage  policy.  With  lax 
management,  some  employees  will  try  to  “push  the  envelope”,  using  the  system  regardless  of  the 
organization’s  usage  policy.  This  is  especially  true  for  insiders  with  a  strong  sense  of  entitlement. 

As  management  allows  the  insider’s  actual  freedom  to  increase  beyond  that  pennitted  by  policy, 
the  insider’s  expectation  also  rises.  As  shown  in  the  figure,  expected  and  actual  freedom  continue 
to  increase  at  an  equal  rate  until  about  week  40,  when  freedom  reaches  a  point  that  even  lax 
management  will  not  pennit  -  more  than  twice  the  freedom  allowed  by  policy.  At  this  point,  the 
insider  expects  slightly  more  than  what  is  permitted;  this  situation  creates  an  equilibrium 
condition  where  unmet  expectation  stays  fairly  constant  over  time. 


12  Ninety-six  percent  of  the  insiders  in  the  Insider  Threat  Study  who  committed  IT  sabotage  were  male.  Therefore, 
male  gender  is  used  to  describe  the  generic  insider  throughout  this  paper. 
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insider's  unmet 


Figure  1:  Expected  freedom  by  insider 

This  simulation  illustrates  a  situation  in  which  lax  management  permits  increasing  freedom  for 
the  insider  that  can  cause  major  problems  later  on,  especially  if  that  insider  has  a  predisposition 
for  disgruntlement.  The  trigger  for  those  major  problems,  which  we  call  the  precipitating  event, 
tends  to  be  anything  that  removes  or  restricts  the  freedom  to  which  the  insider  has  become 
accustomed.  In  the  iAssemble  case,  as  in  some  of  the  cases  in  the  Insider  Threat  Study,  the 
trigger  is  the  hiring  of  a  new  supervisor  who  enforces  the  organization’s  system  usage  policy. 


Expected  freedom  by  insider  - 4 - 4 - 1 - 1 - 1 - 4 - 4—  freedom  units 

actual  freedom  given  insider  —2 - 2 - 2 - 2 - 2 - 2 - 2 - 2  freedom  units 

insider's  unmet  expectation  - 9 - B - 9 - 9 - 9 - 9 - 9 —  freedom  units 


Figure  2:  Expected  &  Actual  Freedom  Growth  with  Lax  Supervisor 
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Figure  3  shows  simulation  results  with  a  new  supervisor  hired  at  week  20  who  enforces  the  usage 
policy,  shown  by  the  drop  in  actual  freedom  given  insider  to  10  freedom  units.  Coincident  with 
the  drop  is  a  commensurate  rise  in  unmet  expectation.  Expectation  rises  (about  40%  in  20  weeks) 
much  faster  than  it  falls,  approaching  its  original  policy  level  at  around  week  92,  assuming  an 
insider  with  a  strong  sense  of  entitlement.  Barring  any  additional  loss  of  freedom,  however, 
expectations  do  fall  gradually  as  the  insider  comes  to  accept  his  new  situation.  Nevertheless,  the 
period  of  high  unmet  expectation  is  one  of  high  risk  for  the  organization  as  explained  below.  The 
additional  drop  in  the  actual  freedom  given  insider  is  also  explained  below. 


Expected  freedom  by  insider  - 4 - 4 - 4 - 4 - 1 - 4 - 4—  freedom  units 

actual  freedom  given  insider  —2 - 2 - 2 - 2 - 2 - 2 - 2 - 2  freedom  units 

insider's  unmet  expectation  - 9 - 3 - 9 - 3 - 9 - e - 3 —  freedom  units 


Figure  3:  Expected  &  Actual  Freedom  with  Strict  Supervisor  Hired  at  Week  20 

6.2  Escalation  of  Disgruntlement  and  Sanctioning 

Figure  4  depicts  part  of  the  model,  influences  of  unmet  expectation  on  the  insider’s  offline 
behavior  and  the  organization’s  response.  Three  additional  stocks  are  introduced: 

•  Insider  disgruntlement :  the  insider’s  internal  feelings  of  discontent  due  to  demands  or 
restrictions  by  the  organization  that  he  perceives  as  unacceptable  or  unfair. 

•  Behavioral  precursors',  observable  aspects  of  the  insider’s  offline/social  behavior  inside 
or  outside  the  workplace  that  might  be  deemed  inappropriate  or  disruptive  in  some  way. 

•  Sanctions',  the  organization’s  punitive  response  to  inappropriate  behaviors.  Sanctions  can 
be  technical,  like  restricting  system  privileges  or  right  to  use  the  organization’s  equipment 
at  home,  or  non-technical,  such  as  demotion  or  formal  reprimand. 

A  generic  measure,  severity  units,  is  used  to  measure  behavioral  precursors,  damage,  and 
disgruntlement. 


13  Throughout  the  paper,  “online  behavior”  refers  to  actions  taken  using  the  computer,  while  “offline  behavior” 
refers  to  social  behaviors  that  are  not  taken  on  the  computer. 
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Reinforcing  loop  R2  in  Figure  4  characterizes  escalation  of  disgruntlement  in  response  to 
sanctions  for  inappropriate  social  behaviors.  As  the  insider’s  unmet  expectations  increase,  Insider 
disgruntlement  increases.  Insiders  exhibit  disgruntlement  by  acting  inappropriately  offline. 
Observable  inappropriate  offline  behaviors  vary;  some  insiders  take  revenge  primarily  online, 
exhibiting  fewer  offline  precursors.  We  assume  that  the  insider’s  predisposition  to  disgruntlement 
indicates  their  tendency  to  engage  in  inappropriate  offline  behavior  before  an  attack. 

Continuing  around  loop  R 2  of  Figure  4,  notice  that  Severity  of  the  actions  perceived  by  org  is 
impacted  by  time  to  realize  insider  responsible . 14  Severity  of  actions  influences  the  extent  of 
sanctioning,  which  further  limits  the  actual  freedom  given  insider.  These  dynamics  explain  the 
second  decrease  in  actual  freedom  in  Figure  3  at  around  week  24,  after  the  new  supervisor 
imposes  sanctions  further  limiting  the  insider’s  freedom.  The  model  in  Appendix  B  also  shows 
that  technical  restrictions  on  the  insider  can  further  limit  the  insider’s  actual  freedom. 

Instead  of  (or  in  addition  to)  punitive  measures,  organizations  may  take  positive  actions  to 
address  an  insider’s  disgruntlement.  Such  actions,  represented  as  employee  intern ention,  include 
referral  to  an  employee  assistance  program  or  counseling.  Balancing  loop  B2  in  Figure  4  reflects 
use  of  employee  intervention  to  address  disgruntlement.  The  organization’s  perception  of  the 
severity  of  the  Behavioral  precursors,  the  observable  manifestation  of  the  insider’s 
disgruntlement,  and  organizational  policies  determine  whether  positive  intervention  or  sanctions 
are  warranted. 


14  Severity  of  actions  perceived  by  org  is  a  smooth  of  several  factors  and  may  also  be  considered  a  stock. 
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Figure  5  shows  the  increase  of  Insider  disgruntlement  due  to  the  insider  s  unmet  expectation  that 
arises  due  to  the  new  supervisor’s  strict  enforcement  of  the  organization’s  usage  policy.  With 
only  minimal  employee  intervention  (0.2  on  a  scale  from  0  to  1),  disgruntlement  rises  to  almost 
three  times  its  nonnal  level  at  about  week  24.  The  predisposed  insider  begins  to  act  out  offline 
and  receives  two  sanctions  during  this  time  period. 


0  16  32  48  64  80  96 


Time  (week) 

Insider  disgruntlement  —4 - 4 - 1 - 4 - 4 - 4 - 1 1 - 4—  severity  units 

Sanctions  -2 - 2 - 2 - 2 - 2 - 2 - 2 - 2 - 2 - 2 - 2 - 2 -  sanctions 

employee  intervention  - 3 - 3 - 3 - 3 - 3 - 3 - 3 - 3 - 3 -  fraction 

Figure  5:  Escalation  of  Disgruntlement  and  Sanctioning  with  Minimal  Intervention 

Figure  6  provides  a  notional  view  of  how  proactive  employee  intervention  can  decrease  both 
disgruntlement  and  the  sanctions  needed  to  address  inappropriate  behavior  arising  from  that 
disgruntlement.  In  this  case,  even  the  predisposed  insider  is  much  less  disgruntled  and  warrants 
less  of  a  punitive  response,  i.e.  only  one  sanction.  One  nice  aspect  of  employee  intervention  is 
that  by  treating  disgruntlement  directly,  there  is  less  need  for  punishment  and  corresponding  less 
disgruntlement  caused  by  the  punishment.  Thus,  when  intervention  works  it  is  a  win-win 
situation  for  both  the  organization  and  its  employees.  We  are  still  investigating  the  general 
characteristics  of  the  insider  and  the  intervention  itself  that  underlie  the  success  of  the  approach. 

7  Modeling  Technical  Attack  Aspects 

As  previously  mentioned,  an  organization’s  full  awareness  of  access  paths  available  to  an  insider 
is  critical  to  being  able  to  disable  those  access  paths  when  needed.  Two  stocks  model  this 
dependency:  Insider  access  paths  unknown  to  org  and  Insider  access  paths  known  to  org. 

Figure  7  shows  the  flows  between  these  two  stocks: 

•  forgetting  paths  flow  :  Management  or  the  IT  staff  may  forget  about  known  paths, 
making  them  unknown.  For  example,  a  manager  might  authorize  a  software  developer’s 
request  for  the  system  administrator  password  during  a  time  of  heavy  development,  but  if 
a  formal  list  of  employees  with  access  to  that  password  is  not  maintained  then  the 
manager  could  forget  that  decision  over  time,  or  the  manager  could  leave  the 
organization,  leaving  no  “organizational  memory”  of  the  decision. 
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•  discovering  paths  flow:  Management  or  the  IT  staff  can  discover  unknown  paths,  making 
them  known.  Discovery  can  be  accomplished  by  auditing,  for  example,  when  new 
accounts  could  be  discovered  with  system  administrator  or  privileged  access  that  were 
previously  unknown  to  management. 

Insiders  can  acquire  new  paths  unknown  to  the  organization  via  the  acquiring  unknown  paths 
flow.  Finally,  organizations  can  disable  known  paths  via  the  disabling  known  paths  flow.  This 
stock  and  flow  structure  is  used  in  the  refinement  of  the  technical  aspects  of  the  model  described 
in  the  section  below. 


Insider  disgruntlement  -H - t - 1 - t - t - 1 1 - t - 1—  severity  units 

Sanctions  -2 - 2 - 2 - 2 - 2 - 2 - 2 - 2 - 2 - 2 - 2 - 2 -  sanctions 

employee  intervention  - 3 - 3 - 3 - 3 - 3 - 3 - 3 - 3 - 3 -  traction 


Figure  6:  Disgruntlement  and  Sanctioning  with  Proactive  Intervention 
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Figure  7;  Access  Path  Stocks  and  Flows 


7.1  Attack  Setup  and  Concealment 

As  discussed  earlier,  an  insider’s  predisposition  to  disgruntlement  and  unmet  expectations  can 
lead  to  increasing  disgruntlement  which,  if  left  unchecked,  can  spur  not  just  behavioral 
precursors  but  technical  disruptions  and  attacks  on  the  organization’s  computer  and  network 
systems.  Prior  to  the  actual  attack,  there  are  typically  Technical  precursors  -  actions  by  the 
insider  to  either  set  up  the  attack  (for  example,  installation  of  a  logic  bomb)  or  to  put  in  place 
mechanisms  to  facilitate  a  future  attack  (for  example,  creation  of  backdoor  accounts  to  be  used 
later  for  the  attack).  These  online  Technical  precursors  could  serve  as  an  indicator  of  a  pending 
attack  if  detected  by  the  organization.  Figure  8  depicts  the  influence  that  insider  disgruntlement 
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can  have  on  the  occurrence  of  Technical  precursors  that  could  indicate  a  pending  attack.  The 
figure  shows  that  both  unknown  and  known  access  paths  can  be  used  to  set  the  stage  for  attack. 


time  to  realize  insider  desire 


The  extent  to  which  insiders  rely  on  unknown  access  paths  depends  on  their  desire  to  conceal 
actions.  Insiders  who  do  not  care  whether  they  are  caught,  or  insiders  acting  impulsively  (often 
out  of  the  passion  of  the  moment),  may  use  both  known  and  unknown  paths  in  their  attack. 
Insiders  who  are  particularly  risk  averse  may  only  attack  using  access  paths  that  are  unknown  to 
the  organization.  Of  course,  an  insider  may  not  know  whether  the  organization  is  aware  of  a 
particular  access  path  or  not.  Nevertheless,  in  either  case,  insiders  generate  Technical  precursors 
that  suggest  suspicious  activity.  To  perceive  the  severity  of  these  precursors,  the  organization 
must  have  a  technical  monitoring  quality  sufficient  to  detect  the  precursors  in  the  first  place. 

7.2  Attack  Escalation 

As  shown  in  Figure  9,  Insider  disgruntlement  contributes  directly  to  the  rate  of  inappropriate 
technical  actions  taken  by  the  insider,  especially  actions  that  facilitate  the  attack.  Some  of  these 
actions  also  contribute  to  the  damage  potential  of  the  attack.  Examples  include  sabotage  of 
backups  and  decreases  in  the  redundancy  of  critical  services  or  software. 

Since  insiders  in  most  sabotage  cases  studied  were  motivated  by  revenge,  the  model  assumes  that 
the  actual  attack  occurs  once  the  damage  potential  reaches  an  attack  threshold  defined  by  the 
insider,  provided  that  the  disgruntlement  level  is  sufficiently  high.  Multiple  attacks  may  be 
executed  provided  that  a  sufficient  number  of  access  paths  are  available  to  set  up  and  execute  the 
subsequent  attacks.  If  the  attack  execution  is  autonomous  (for  example  a  logic  bomb  set  to  go  off 
when  the  system  reaches  a  certain  state)  the  insider  may  need  no  access  paths  to  the 
organization’s  critical  systems  in  order  to  execute  the  attack.  In  such  a  case,  the  planting  of  the 
logic  bomb  could  actually  be  considered  to  be  the  attack. 

Figure  10  shows  the  simulation  results  with  predisposition  for  technical  sabotage  and  insider 
desire  to  conceal  actions  set  to  1 .  Insider  disgruntlement  rises  to  its  highest  level  at  about  week 
35  after  which  the  attack  is  executed.  At  week  20,  prior  to  the  attack,  Behavioral  precursors  are 
the  first  observables  indicating  the  insider’s  disgruntlement.  About  4  weeks  later  the  Technical 
precursors  start  to  appear.  We  believe  that  this  pattern  of  behavioral  disruption  before  technical 
disruption  is  common  among  many  insiders. 

Some  insiders  install  unauthorized  tools  for  non-malicious  purposes  immediately  after  they  are 
hired.  For  example,  one  system  administrator  installed  a  root  kit  -  a  “hacker”  tool  used  to 
maintain  access  to  a  system  without  the  owner’s  knowledge.  These  tools  provide  insiders  with 
unauthorized  access  that  makes  their  work  more  convenient.  These  actions  are  technical 
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precursors  that  increase  risk  of  an  attack  if  that  insider  ever  becomes  angry  enough  to  take 
revenge  on  his  employer. 

The  severity  of  the  technical  precursors  rises  above  the  severity  of  the  behavioral  precursors  at 
about  the  time  of  the  attack.  Attack  damage,  which  for  obvious  reasons  has  severity  much  higher 
than  the  behavior  or  technical  precursors,  occurs  immediately  at  the  time  of  the  attack.  Technical 
precursors  level  off  immediately  after  the  attacks  because  disgruntlement  is  greatly  reduced  by 
attack  execution.  We  are  still  investigating  the  exact  relationship  between  attack  execution  and 
insider  disgruntlement,  but  we  believe  that  the  behavior  exhibited  by  the  current  model  to  be 
representative  of  the  insider  sabotage  cases  in  our  study. 


attack 


Time  (week) 

executing  attack  - 1 - 1 - i - 1 - 1 - 1 - 1 -  event 

terminating  insider  - 2 - 2 - 2 - 2 - 2 - 2 - 2-  event 

Insider  disgruntlement  — 9 - 9 - 9 - 9 - 9 - 9 -  severity  units 

Behavioral  precursors  - 4 - 4 - 4  4 - 4 - 4—  severity  units 

Technical  precursors  - 6 - 5 - 6 - 6 - 5 - 5  severity  units 

Attack  damage  — 6 - 6 - 8 - 6 - 6 - 6 -  severity  units 


Figure  10:  Attack  Simulation 
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8  Modeling  Technical  Defense  Aspects 

In  the  fictional  case,  i Assembled  defenses  against  insider  attack  were  purely  reactive,  based  on 
severity  of  insider  actions  and  risk  subsequently  perceived.  Figure  11  depicts  two  defensive 
actions: 

•  Auditing  the  organization’s  systems  to  discover  unknown  access  paths  available  to  the 
insider  -  Auditing  must  be  followed  by  disabling  those  paths  (loop  B3)  for  this  defense  to 
have  significant  effect.  It  is  possible,  however,  that  an  organization’s  discovery  of  access 
paths  would  be  a  sufficient  deterrent  for  a  risk-averse  insider  if  the  insider  knows  the 
organization  has  discovered  the  paths. 

•  Reducing  the  insider  s  access  path  creation  ability  (loop  B4)  -  This  defense  reduces  the 
insider’s  ability  to  acquire  new  unknown  paths. 

Both  of  these  defenses  target  access  paths  that  may  be  used  by  the  insider  to  set  up  or  execute  an 
attack.  A  risk-averse  insider,  who  will  not  attack  unless  he  can  conceal  his  actions,  will  have  less 
incentive  to  attack  if  unknown  access  paths  are  disabled.  Known  access  paths  can  also  be 
disabled  if  they  are  not  needed  by  the  insider  to  perform  critical  job  functions. 

If  an  organization  disables  the  access  paths  required  to  fulfill  the  insider’s  job  responsibilities,  his 
performance  and  the  organizational  mission  may  be  negatively  impacted.  However,  if  the 
perceived  risk  is  sufficiently  high,  the  organization  may  choose  to  disable  the  insider’s  access 
paths  anyway.  Within  the  simulation  run,  if  the  risk  reaches  a  termination  threshold,  the  insider  is 
fired  and  all  known  access  paths  are  immediately  disabled.  Of  course,  any  unknown  access  paths 
still  available  to  the  insider  may  be  used  to  set  up  and  execute  an  attack. 


Figure  11:  Risk-based  Auditing  and  Access  Path  Disabling 
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Figure  12  shows  the  results  of  executing  the  model  with  audit  quality  set  at  50%,  the  same  level 
of  audit  used  to  generate  the  results  for  Figure  10.  In  Figure  12,  however,  the  number  of  access 
paths  available  to  the  insider  is  shown,  both  known  and  unknown  to  the  organization,  over  time. 
The  insider  is  terminated  at  about  week  32;  all  known  access  paths  are  disabled  at  time  of 
tennination.  However,  with  audit  quality  at  50%,  the  insider  still  has  enough  unknown  access 
paths  to  continue  to  set  up  and  execute  the  attack  at  about  week  38. 

To  test  the  effects  of  auditing,  Figure  13  shows  the  results  using  the  same  parameter  settings 
except  that  audit  quality  is  set  to  80%.  Here,  the  higher  level  of  audit  quality  keeps  the  number  of 
access  paths  unknown  to  the  organization  sufficiently  low  so  that  no  attack  can  be  executed, 
before  or  after  termination.  The  Technical  precursors  suggest  that  the  insider  started  to  set  up  the 
attack,  but  the  organization’s  defenses  were  sufficient  to  stop  the  insider  before  he  reached  the 
attack  threshold.  For  an  attack  threshold  of  severity  2,  the  tipping  point  for  the  attack  is  an  audit 
quality  of  between  68%  and  69%.  Future  work  will  determine  what  it  means  for  an  audit  process 
to  be  of  a  certain  quality.  Of  particular  interest  will  be  the  characteristics  of  an  audit  at  the 
tipping  point  for  an  attack. 


Time  (week) 


executing  attack  - 1 1 1 - 4 - 4 - 4 - 4 -  event 

terminating  insider  - 2 - 2 - 2 - 2 - 2 - 2 - 2-  event 

Behavioral  precursors  — 0 - 8 - 3 - 3 - 3 - 3 -  severity  units 

Technical  precursors  - 4 - 4 - 4 - 4 - 4 - 4 —  severity  units 

Insider  access  paths  known  to  org  - 5 - 6 - 3 - 5 - 5-  access  paths 

Insider  access  paths  unknown  to  org  - 6 - 6 - 6 - 6 -  access  paths 

Figure  12:  Attack  Simulation  with  Audit  Quality  at  50% 
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executing  attack  1 - 1 - 1 - 1 - 1 - 1 - 1 —  event 

terminating  insider  2 - 2 - 2 - 2 - 2 - 2 - 2-  event 

Behavioral  precursors  — 3 - 3 - 3 - 3 - 3 - 3 severity  units 

Technical  precursors  - 4 - 4 - 4 - 4 - 4 - 4 —  severity  units 

Insider  access  paths  known  to  org  - 5 - 5 - 5 - 5 - 5-  access  paths 

Insider  access  paths  unknown  to  org  6 - 6  6 - 6 -  access  paths 

Figure  13:  Attack  Simulation  with  Audit  Quality  at  80% 

9  Exhibiting  the  iAssemble  Reference  Mode 

This  section  demonstrates  that  the  MERIT  model  exhibits  the  behavior  of  the  iAssemble  case. 
Since  the  iAssemble  case  is  representative  of  a  preponderance  of  sabotage  cases  analyzed  in  the 
Insider  Threat  Study,  we  believe  this  model  represents  key  issues  in  insider  IT  sabotage  cases. 
From  this  we  infer  that  the  model  is  useful  for  identifying  and  analyzing  the  solution  space, 
which  includes  policy,  procedural,  and  technical  measures  that,  when  used  together,  can 
significantly  help  prevent  or  detect  insider  IT  sabotage. 

Figure  14  shows  the  increasing  gap  between  the  perception  of  the  insider’s  access  paths  and  the 
actual  access  paths  available  to  him,  which  has  the  same  general  pattern  as  in  the  iAssemble  case 
of  Figure  19. 
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executing  attack  - 4 - 4 - 4 - 4 - 4 - 4 - 4 - 4 - 4  event 

terminating  insider  — 2 - 2 - 2 - 2 - 2 - 2 - 2 - 2 -  event 

Insider  access  paths  known  to  org  — 9 - S - 3 - 3 - 3 —  access  paths 

Insider's  actual  access  paths  - 4 - 4 - 4 - 4 - 4 - 4-  access  paths 


Figure  14:  Exhibiting  the  iAssemble  Problematic  Behavior 


This  perception  gap  indicates  an  erosion  of  the  organization’s  control  of  access  to  its  systems. 
Access  control  quality  (ACQ)  is  defined  as  follows: 

access  control  quality 

=  wu  x  unknown  path  access  control  quality 
+  wkx  known  path  access  control  quality 

where 


•  w„  is  the  weight  that  the  organization  gives  to  unknown  access  paths  to  determine  the 
access  control  quality 

•  Wk  is  the  weight  that  the  organization  gives  to  known  access  paths  to  determine  the  access 
control  quality  and  is  equal  to  (1-  wu) 

So  access  control  quality  is  perfect  if  and  only  if  unknown  path  access  control  quality  is  perfect 
and  known  path  access  control  quality  is  perfect. 

We  further  define 


unknown  path  access  control  quality 

„  .  ,  ..  .  _  _  f  Insider  access  paths  unknown  to  org ) 

=  effect  of  access  paths  on  ACQ  - - - — 

^  max  reasonable  paths 


known  path  access  control  quality 


f 

=  effect  of  access  paths  on  ACQ 


v 


extraneous  access  paths  known  to  org 
max  reasonable  paths 


\ 
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where 

•  max  reasonable  paths  is  the  number  of  access  paths,  known  or  unknown,  beyond  which 
no  additional  benefit  is  gained  by  the  insider. 

•  paths  insider  needs  to  do  job  is  the  minimum  number  of  access  paths  the  insider  needs  to 
fulfill  his  job  responsibilities 

The  function  effect  of  access  paths  on  ACQ,  shown  in  Figure  15, 


0  1 


Figure  15:  Function  Defining  Effect  of  Access  Paths  on  Access  Control  Quality 

The  above  assumes  that  an  organization  has  perfect  control  of  an  employees’  access  if  the 
following  conditions  hold: 

1 .  The  employees  have  no  access  paths  unknown  to  the  organization. 

2.  The  employees  have  access  only  to  access  paths  needed  to  do  the  job. 

Employees  with  access  to  paths  not  meeting  one  of  those  two  conditions  indicate  an  access 
control  lapse.  The  model’s  access  control  metric  weighs  access  control  lapses  in  condition  1 
more  heavily  than  those  in  condition  2.  The  graph  of  access  control  over  time  is  shown  in  Figure 
16.  This  figure  has  the  same  general  shape  as  given  in  the  explanation  for  the  i Assemble  attack 
given  in  Figure  18.  The  rate  of  acting  inappropriately  online  roughly  captures  the  sharing  of 
passwords  and  the  installation  of  a  backdoor  prior  to  the  termination  and  the  unauthorized  access 
and  planting  of  the  logic  bomb  during  and  after  termination. 
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0  16  32  48  64  80  96 

Time  (week) 

executing  attack  - 4 - 4 - 4 - 1 - 4 - 4 - 1 - 4 - 4  event 

terminating  insider  — 2 - 2 - 2 - 2 - 2 - 2 - 2 - 2 -  event 

access  control  quality  — B - 0 - S - 3 - 3 - 3 - 3 - 3-  fraction 

acting  inappropriately  online  — 4 - 4 - 4 - 4 - 4-  severity  units/week 


Figure  16:  Explanation  for  iAssembie  Attack  (Simulation) 

10  Conclusion 

The  MERIT  project  was  initiated  as  a  proof  of  concept  -  to  determine  whether  or  not  an  effective 
interactive  learning  environment  could  be  developed  to  teach  executives,  managers,  technical 
staff,  human  resources,  and  security  officers  the  complex  dynamics  of  the  insider  threat  problem. 
An  appropriate  ILE  must  be  intuitive  enough  to  be  easily  understood  by  practitioners  who  have 
most  likely  never  heard  of  system  dynamics. 

The  steps  required  to  develop  the  ILE  are: 

•  Gather  and  analyze  extensive  insider  threat  cases  (completed  -  Insider  Threat  Study) 

•  Scope  the  problem  for  the  model  (completed  -  IT  sabotage  cases) 

•  Put  together  team  of  experts  (completed  -  team  consists  of  experts  in  insider  threat, 
system  dynamics,  technical  security,  psychology) 

•  Build  the  model  (in  progress  -  current  model  described  in  this  paper) 

•  Run  simulations  for  initial  testing  and  calibration  of  the  model  (in  progress  -  some 
simulations  described  in  this  paper) 

•  Create  training  materials  to  accompany  the  model  and  ILE  (student  led  development  of 
training  materials  document  as  part  of  student  project  report  (Desai  2006)) 


At  this  point,  the  MERIT  team  feels  confident  that  an  effective  model  that  conveys  important 
lessons  regarding  insider  threat  has  been  created.  The  simulations  accurately  mimic  the  patterns 
and  trends  in  the  majority  of  the  cases  in  the  Insider  Threat  Study.  Further  calibration  and 
validation  of  the  model  is  still  necessary  before  it  can  be  released  for  educational  or  training  use. 
In  addition,  extensive  user  interface  testing  will  be  required  to  develop  an  intuitive  interface  and 
accompanying  training  materials  before  it  can  be  used  in  an  actual  training  class. 
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In  addition  to  training,  the  MERIT  team  plans  to  present  the  model  to  experts  in  technical 
security,  human  resources,  and  organizational  dynamics  to  calibrate  it  accurately  so  that  it  can  be 
used  for  additional  insights  into  the  insider  threat  problem  and  effective  countenneasures. 
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Appendix  A:  The  iAssemble  Training  Case15 

iAssemble  sells  computer  systems  directly  to  customers,  building  each  system  made-to-order  and 
offering  competitive  prices.  iAssemble  has  been  doing  extremely  well  and  conducted  an  initial 
public  offering  (IPO)  in  2001,  after  which  its  stock  doubled. 

Organization  Background 

iAssemble  is  headed  by  Chris  Eagles,  who  is  the  Chief  Executive  Officer  (CEO).  Eagles  started 
the  company  in  1997  with  two  of  his  friends,  Carl  Freeman  and  Caroline  Thompson,  who  are 
now  the  Chief  Financial  Officer  (CFO)  and  Chief  Technical  Officer  (CTO),  respectively.  The 
company  had  continually  hired  experienced  managers  and  employees  over  time. 

Ian  Archer,  the  malicious  insider,  was  among  the  few  employees  who  had  been  with  iAssemble 
since  its  establishment.  Archer  started  out  as  computer  specialist  and  technical  assistant  to  the 
three  original  founders,  Eagles,  Freeman,  and  Thompson.  When  hired,  Archer  held  certifications 
in  personal  computer  (PC)  hardware  maintenance  and  operating  system  administration  but  did 
not  possess  a  four-year,  baccalaureate  degree.  He  compensated  for  his  lack  of  education  with 
hard  work  and  over  the  next  four  years  he  became  the  sole  system  administrator  at  iAssemble. 

iAssemble  grew  at  a  moderate  rate.  Recognizing  the  need  for  qualified  personnel,  Eagles  and 
Thompson  began  to  hire  experienced  system  administrators  who  could  also  function  as  project 
managers.  Lance  Anderson  was  hired  as  lead  system  administrator  because  of  his  education  and 
qualifications,  and,  James  Allen  was  hired  as  a  Junior  System  Administrator  to  share  Archer’s 
growing  systems  administration  workload  and  responsibilities. 

Insider  Situation 

Ian  Archer  had  always  been  responsible  for  the  software  that  ran  the  assembly  machinery,  and 
played  an  important  role  when  iAssemble  automated  its  PC  assembly  processes. 

Archer’s  disgruntlement  grew  steadily  over  the  course  of  several  months  due  to  the  growth  and 
associated  changes  at  iAssemble.  When  Anderson  was  handpicked  for  the  Lead  Administrator 
position  by  Caroline  Thompson,  Archer  began  to  feel  confined  in  his  current  role  and  saw  limited 
opportunities  for  advancement.  Policy  changes  by  Anderson  meant  that  Archer  could  no  longer 
work  with  the  freedom  he  had  always  enjoyed.  He  began  receiving  detailed  instructions  on  how 
to  work  and  felt  “micro-managed.”  Archer’s  performance  slumped,  prompting  Anderson  and 
senior  management  to  look  to  others,  such  as  Allen,  for  important  projects.  As  a  result,  Archer 
felt  detached  from  the  new  culture  at  iAssemble,  its  leadership,  and  its  continuing  success. 

Archer  was  assigned  to  mentor  Allen  and  ensure  his  smooth  assimilation  within  iAssemble ’s 
culture.  Archer  and  Allen  worked  on  a  few  small  projects  together  but  Archer  felt  that  the 
projects  were  too  menial  for  his  technical  skills.  He  found  Allen  to  be  nearly  as  technically 
competent  as  himself,  which  contributed  to  his  frustration.  While  working  on  one  of  these 
projects,  Allen  shared  the  password  to  his  personal  desktop  machine  at  iAssemble,  named 


15  The  iAssemble  organization  and  case  example  are  completely  fictional,  any  unintentional  resemblance  to  a  real 
organization  or  insider  threat  case  is  unintentional. 
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Kilimanjaro,  with  Archer.  Sharing  the  password  enabled  each  of  them  to  access  the  project  files 
when  the  other  was  out  of  the  office. 

Archer’s  disgruntlement  grew,  and  he  openly  proclaimed  that  Anderson,  was  just  a  namesake.  If 
anyone  disagreed  he  verbally  abused  them  until  they  backed  down  and  apologized.  He  even 
bottlenecked  projects  on  purpose  on  several  occasions,  stalling  his  work  on  the  project  to  ensure 
Anderson  and  the  project  team  missed  project  milestones.  Archer  received  a  written  warning 
from  Thompson  after  several  co-workers  formally  complained.  Enraged  by  this,  he  had  a  heated 
argument  with  a  team  member  who  then  quit  the  very  next  day,  citing  Archer  as  the  reason  for 
his  resignation.  Archer  was  suspended  for  a  day  without  pay  and  received  a  cut  in  his  salary. 

At  this  point  Thompson  became  more  cautious  regarding  Archer  and  wanted  to  fire  him. 
Anderson  warned  that  firing  a  disgruntled  system  administrator  was  a  complicated  task.  Almost 
every  company  he  worked  for  had  access  control  gaps  that  would  allow  an  ill-tempered,  ex¬ 
employee  to  cause  system  damage.  He  suspected  such  a  scenario  existed  for  iAssemble,  and  in 
the  face  of  Archer’s  firing,  could  be  risky.  Anderson  believed  that  yearly  audits  iAssemble 
conducted  lacked  proper  vigor  and  documentation,  and  there  was  no  way  to  be  certain  that  they 
had  reduced  their  risk  to  sabotage  by  a  fonner  employee.  A  decision  was  made  to  increase  audits 
of  access  control  quality  and  access  management.  The  audits  would  begin  immediately. 

Insider  Attack 

After  the  blowup  with  his  team  member  and  the  subsequent  salary  cut,  Archer  had  the  feeling 
that  he  would  soon  be  fired.  He  decided  that  he  needed  to  have  the  means  to  get  back  at 
iAssemble  in  the  event  that  his  worst  fears  came  true. 

The  audits  revealed  a  great  deal  about  iAssemble’s  access  management.  Many  access  paths,  both 
of  present  and  past  employees,  were  discovered  which  should  have  been  disabled.  Dummy 
accounts  were  discovered  which  were  created  for  testing  and  debugging  purposes  but  never 
deleted;  a  few  had  even  been  created  by  Archer.  These  access  paths  were  promptly  disabled. 
Thompson  felt  there  was  steady  progress  being  made  and  deemed  the  audit  an  excellent  decision. 

In  the  meantime,  Archer  planted  a  backdoor  on  the  main  machinery  server  that  provided  him 
with  unauthorized  access.  Archer’s  immediate  anger  with  iAssemble  was  alleviated  a  little  after 
this  act,  but  he  was  still  disgruntled. 

Archer  became  infuriated  when  he  overheard  that  management  was  planning  to  fire  him.  He 
decided  to  wait  until  after  his  termination,  then  seek  revenge.  Two  days  later,  on  December  14, 
2001,  Archer  was  fired  and  his  access  disabled.  Unfortunately,  iAssemble  managers  were  not 
aware  that  he  knew  the  password  to  Kilimanjaro,  James  Allen’s  iAssemble  machine,  and  did  not 
think  to  change  it.  Archer  went  home  the  night  he  was  fired  and  successfully  logged  into 
Kilimanjaro.  He  then  used  his  backdoor  on  the  machinery  server  to  plant  the  logic  bomb.  He  did 
the  same  on  both  of  the  backup  servers.  He  cleverly  set  it  to  go  off  two  months  from  that  date  to 
deflect  suspicion  from  him.  Figure  17,  below,  shows  Ian  Archer’s  attack  method. 

On  February  14,  2002,  the  logic  bomb  went  off,  deleting  all  files  on  the  machinery  server  and  its 
backup  servers,  leaving  the  assembly  lines  at  iAssemble  frozen. 
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Organization’s  Response 

When  investigators  suggested  the  possibility  of  insider  attack,  management  was  puzzled  as  to 
how  that  was  possible  in  light  of  the  increased  monitoring,  policies  and  best  practices  in  place  at 
iAssemble.  Eventually,  the  system  logs  were  used  to  trace  the  access  to  the  machinery  server 
from  Kilimanjaro .  James  Allen  claimed  that  he  was  innocent  and  explained  that  he  had  given  the 
password  to  his  machine  to  Archer  when  they  worked  together. 

Ian  Archer  was  soon  arrested,  but  iAssemble  was  left  on  shaky  ground.  Their  share  prices 
plummeted  and  their  image  in  the  market  was  blemished. 

Management  concluded  that  growth  took  its  toll  at  iAssemble  with  the  company  facing  access 
control  and  employee  disgruntlement  issues.  With  a  whopping  growth  in  sales  figures  of  68% 
over  the  past  quarter,  iAssemble  was  rapidly  hiring  good  and  efficient  people.  However,  this 
situation  created  competition  for  positions  within  iAssemble,  leading  to  job  dissatisfaction 
among  some  employees.  Access  control  quality  also  eroded  over  time  with  employees  under 
pressure  to  meet  deadlines  and  subsequently  violating  security  policies.  Figure  18  depicts  the 
dynamics  that  occurred  at  iAssemble. 


Machineiy  Network  Firewalled 
from  Internal  Network 


Figure  17:  Insider’s  Method  of  Attack 
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Explanation  for  iAssemble  Attack 


Despite  iAssemble’s  efforts  to  maintain  information  security  best  practices,  security  policy 
enforcement  became  lax  in  support  of  the  culture  of  growth  at  all  costs.  Hence,  access  control 
deteriorated  over  time. 

When  iAssemble  management  realized  that  they  needed  to  increase  monitoring  and  audits,  they 
started  out  on  the  right  foot.  The  steps  they  took  ensured  that  management’s  knowledge  of  their 
employees’  access  paths  increased.  However,  the  skew  between  management’s  knowledge  of 
Archer’s  access  paths  and  the  actual  access  paths  that  Archer  had,  was  not  fully  overcome  by  the 
time  Archer  was  fired,  and  iAssemble  could  not  disable  all  of  his  access  paths  in  time.  Hence, 
Archer  was  able  take  advantage  of  the  residual  access  that  he  had,  as  shown  in  Figure  19. 
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Problematic  Behavior  -  Insider  Access  Paths 
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Appendix  B:  Simulation  Model  Overview 
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